Data Protection under the Third Pillar: EU Information Systems and

код для вставки на сайт или в блог

ссылки на документ

Data protection, the fight against terrorism & EU external relations
Data protection, the fight against terrorism & EU
external relations
Paul De Hert (Tilburg & Brussels)
Brussels, 7 November 2007
Table of content
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
What is data protection?
Why was is necessary?
Beginnings of Data Protection
Development of International Data Protection
Data Protection under the Third Pillar
External relations under First Pillar
External relations under Third Pillar
Preliminary remark
пЃ®
I relied for some of the conclusions on the
insights gained after having listened to Diana
Alonso Blas, LL.M., Data Protection
Officer,Eurojust, First Pillar and Third Pillar:
Need for a common approach? International
Conference вЂњReinventing Data ProtectionвЂќ, 12
and 13 October 2007, Brussels
This is data protection
пЃ®
пЃ®
Everyone has the right to the protection of personal
data concerning him or her.
Such data must be processed fairly for specified
purposes and on the basis of the consent of the person
concerned or some other legitimate basis laid down
by law. Everyone has the right of access to data that
has been collected concerning him or her, and the
right to have it rectified. Compliance with these rules
shall be subject to control by an independent
authority.
= Article 8 of the EU Fundamental rights Charter
Why data protection?
пЃ®
пЃ®
пЃ®
Article 8 ECHR does not apply to the private sector.
The right to a private life would not necessarily
include all personal data, and so there was the
question of whether a large proportion of data would
be sufficiently safeguarded.
The right of access to data on oneself was not covered
by the concept of the right to privacy as expressed in
Article 8
Beginnings of data protection
пЃ®1960s:
USA, two major reasons:
1.) Technical progress based on the development of computers
2.) Socio-political reason, raising fear of governmental surveillance вЂњBig
brotherвЂќ
Similar development in Europe
пЃ® 1970 вЂ“ 1981
пЃ®
пЃ®
пЃ®
пЃ®
1970: First law on data protection was enacted by the German
Federal State of Hessen (07.10.1970).
Sweden (1973), Germany (1976), France (1978), Denmark (1978),
Norway (1978), Austria (1978) and Luxembourg (1979) introduced
national legislation on data protection
No role model as basis but had to be innovative in their
own right
Beginnings of data protection (continuation)
пЃ®
1981 Council of Europe:
Convention for the Protection of Individuals with regard to
automatic processing of personal data (entry into force 1985)
пЃ®
пЃ®
First internationally binding instrument on data protection, important
point of orientation for the subsequent national data protection laws
In the following years, data protection legislation was enacted
by
пЃ®
Finland (1987), The Netherlands (1988), Portugal (1991), Spain (1992),
Belgium (1992), Italy and Greece
European Data Protection (general)
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
Convention no. 108, January 28, 1981
Directive 95/46/EC of 24 October 1995
Directive 97/66/EC and 2002/58/EC
Regulation (EC) No 45/2001 processing by
Community institutions of 18 December 2000
Charter of Fundamental Rights of 7 December 2000
of the European Union,
Treaty establishing a Constitution for Europe (2002)
пЃ®
Right to data protection (Art. I-51)
International Data Protection (general)
пЃ®
From 1948 privacy rights in various national and regional
human rights bills
пЃ®
From 1970 on data protection laws at national level
пЃ®
1980 OECD: Guidelines on the Protection of Privacy and
Transborder Flows of Personal Data
пЃ® Non-binding, orientation
пЃ®
1990 UN: Guidelines concerning computerized personal
data.
пЃ®
Guidelines for orientation, procedure left to the initiative of each state
Scope of European data protection re JHA
пЃ®
1995 Directive 95/46/EC on the protection of individuals with
regard to the processing of personal data and on the free
movement of such data
пЃ®
пЃ®
пЃ®
пЃ®
First and major First Pillar instrument regulating the processing of
personal data
Not applicable to the processing of data in the course of an activity
which falls outside the scope of Community law (Art. 3 (2) =>
Second and Third Pillar
applied by some MS, in some respects, to law enforcement as well
ECJ view (PNR judgment 30-05-2006)
End of the world?
пЃ®
пЃ®
пЃ®
Article 8 ECHR applies to processing by all public authorities,
incl JHA
Council of Europe Convention 108 (1981), ratified presently
by 38 countries and signed by another 5 also applies to JHA
Article 3 Convention 108: The Parties undertake to apply this
convention to automated personal data files and automatic
processing of personal data in the public and private sectors.
But, is Convention 108 enough?
пЃ®
пЃ®
Convention 108 is quite general: it contains principles, not
detailed regulation
1987 Council of Europe: Recommendation No. R (87) 15
regulating the use of personal data in the police sector
Non-binding, orientation, very old and no willingness to renew them
пЃ® For 1st pillar the EU built on Convention to go further
пЃ®
пЃ®
in
Directive 95/45/EC
Recital (11) of preamble: Whereas the principles of the
protection of the rights and freedoms of individuals, notably
the right to privacy, which are contained in this Directive, give
substance to and amplify those contained in the Council of
Europe Convention of 28 January 1981 for the Protection of
Individuals with regard to Automatic Processing of Personal
Data;
First JHA option: specific data protection rules
пЃ®
пЃ®
пЃ®
1985 Schengen Agreement and 1990 Convention implementing
the Schengen Agreement of 14 June 1985
пЃ® Referring to the principles laid down in the 1981 Convention
and 1987 Recommendation and solid data protection
framework
Council Act of 26 July 1995 drawing up the Convention on the
establishment of a European Police Office (Europol
Convention. The Europol Convention was ratified by all
Member States and came into force on 1 October 1998.
пЃ® Referring to the principles laid down in the 1981 Convention
and 1987 Recommendation and solid data protection
framework
Convention established by the Council in accordance with
Article 34 of the Treaty on European Union, on Mutual
Assistance in Criminal Matters between the Member States of
the European Union, OJ C 197, 12.07.200: general context of
judicial cooperation and some data protection (infra)
Option 1 (continuation)
пЃ®
Council Decision of 28 February 2002 setting up Eurojust with
a view to reinforcing the fight against serious crime. Rules of
procedure on the processing and protection of personal data,
adopted by Council on 24/2/2005 (containing main principles
Directive but also very detailed rules, tailored made to
Eurojust tasks and purposes)
пЃ® Referring to the principles laid down in the 1981
Convention and 1987 Recommendation and solid data
protection framework
пЃ®
May 2005: Treaty of PrГјm (Schengen III Agreement )
пЃ®
Extended information exchange outside the EU framework
Strength of option 1: Europol example
In Covention detailed rules on the use of data:
пЃ®
пЃ®
Clear understanding of intelligence risks to data protection lacking in
Recommendation no (87) 15 by use of different information tools in particular
distinction betweenn Europol Information System (IS), (Criminal Intelligence
database) and the Analysis Work Files (AWF) (Analysis of operational data)
Mandate вЂ“ restrictions & consultation
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
Ownership
National Law to be respected
Communication with third states and third bodies
Right of access limited in certain cases for non involved member states
Correction / deletion of data
Time-limits storage / deletion of data
Security
Control mechanisms: see next slide
Control mechanisms in Europol
пЃ®
пЃ®
Europol internal audit
National Supervisory Body (Art. 23
Convention)
пЃ®
Each MS - Designates an NSB
Monitors input independently
пЃ® Personal data
пЃ®
пЃ®
Joint Supervisory Body (Art. 24 Convention)
пЃ®
Ensures individual rights are not violated by data
stored at Europol
Risks of option 1: the Prum example
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
Signed in PrГјm & Ratified by the national parliaments of the
seven participating states - Germany, Spain, France, Luxembourg,
Netherlands, Austria and Belgium and now extended to all EU
MS
Not part of the Schengen treaty nor the Schengen acquis
Integration is planned to take place, at the latest, three years after
the entry into force of the
Based on so-called "principle of availability" : the right of access
to the databases/registers of the participating states and gives the
requesting state the possibility to ask for more
information/intelligence.
Data exchange (Article 1-16) see next slide
Sky marshals (Article 17-18)
Fighting illegal migration (Chapter 4)
Joint Interventions (Chapter 5)
Data exchange in PrГјm
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
DNA profiles All participating states have to set up DNA profile databanks and
exchange dna profiles
Fingerprint data The treaty allows, where a specific person is identified, access to
the finger-print databases of the participating states and the automatic comparison
of fingerprints, not only for reasons of criminal prosecution but also for
"prevention". Same hit system for additional information
Vehicle databases can be accessed for criminal prosecutions and for reasons of
preventing dangers for public security and order, ie including supposed threats to
public order . Online access will be carried out according to the law of the
requesting state.
Political demonstrations and other mass events (Articles 13-15) For reasons of
prosecution and prevention of offences and for the prevention of dangers to public
security and order, personal and non personal data can be passed on - following a
request or without request, ie. at the own initiative of a state.
Information exchange to prevent terrorist attacks (art. 16) Data and
intelligence: names and further personal identity plus the reason will; be sent out
across the network, with or without a prior request.
Institutional and Data protection problems with PrГјm
пЃ®
пЃ®
пЃ®
OK: purposes are definied; competent authorities are
defined; duty to see that data is correct and up to
date;technical safeguards to guarantee secrecy; rights
for the persons concerned
Not OK: making terrorism, organised crime and
illegal immigrants one affair; broad categories: why?;
creating more power by centralising data;
Certainly not OK: no supranational supervision: need
for a FD data protection: Court of Justice, 31 January
2006 (c-503/03)
Reason 1 for other (second) JHA option: general data
protection rules: new needs for JHA cooperation
пЃ®
Cooperation in police and judicial criminal
matters increases and is gradually build on
new concepts that challenge data protection
пЃ®
June 2004: Draft Framework Decision on simplifying
the exchange of information and intelligence between
law enforcement agencies of the member states of the
EU, in particular as regards serious offences
including terrorist acts (Swedish Initiative)
пЃ®
пЃ®
Setting time limits to answer requests of information
Removing discrimination between national and intra-EU
exchange of data accessible by police in at least one
Member State
new needs for JHA cooperation (continuation)
пЃ®
January 2005: White Paper on exchanges of information on
convictions and the effect of such convictions in the EU
пЃ®
пЃ®
пЃ®
Nov. 2005: Council Decision on the exchange of information extracted
from the criminal record
Dec. 2005: Proposal for a Framework Decision on the organisation
and content of the exchange of information extracted from criminal
records between Member States
October 2005: Proposal for a Council Framework Decision on
the exchange of information under the principle of availability
пЃ®
Information available to law enforcement authorities in one Member
State be made accessible for equivalent authorities in other Member
States
Reason 2
пЃ®
пЃ®
пЃ®
пЃ®
Difficulties of determining whether the processing and transfering of
personal data falls under the First or Third pillar, e.g.
US demand for Passenger Name Records to private air companies
Commission acts on basis of first pillar
Commission: Regulation for transfer of passenger data by private
airlines = rules for harmonisation of the Internal Market
EP problem with privacy and problem with choice of pillar
ECJ 30 May 2006 Data transfer motivated by concerns of public safety and
= Third Pillar Institutional consequences? Data protection consequences?
Council Decision 2007/551/CFSP/JHA. of 23 July 2007 on the signing, on
behalf of the European Union, of an Agreement between the European
Union and the United States of America on the processing and transfer of
Passenger Name Record (PNR) data by air carriers to the United States
Department of Homeland Security (DHS) (2007 PNR Agreement)
Swift?
A second JHA option: general data protection rules
пЃ®
October 2005: Proposal for a Council Framework Decision on
the protection of personal data processed in the framework of
police and judicial cooperation in criminal matters
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
пЃ®
Clear gap in data protection regulation at EU Third Pillar level
Directive 95/46/EC is not applicable and
Neither the 95/46/EC Directive nor the 1981Convention take
account of the specific characteristics of the exchange of data by
police and judicial authorities
But data protection of fundamental significance
To redress this imbalance, the Commission adopted a
complementary Proposal for a Council Framework Decision
Intends to provide a comprehensive protection scheme for
personal data in the in the field of Justice and Home Affairs. It
also supplements multilateral efforts like the Treaty of PrГјm.
However: many controversies
пЃ®
пЃ®
пЃ®
пЃ®
re the scope of the Framework Decision
security v privacy and its consequence for the
data protection principles
limitations to the principle of availability
within and outside the EU
Schengen JSA, Europol JSB, the Eurojust
JSA and the CIS JSA
The March 2007 German PresidencyвЂ™s Proposal
пЃ®
пЃ®
пЃ®
general rules on the lawfulness of processing of personal data,
provisions concerning specific forms of processing, rights of
the data subject, confidentiality and security of processing,
judicial remedies, liability, sanctions, national supervisory
authorities, and the transfer to third states.
exchange of data between Member States, thus excluding data
processing at a domestic level
applies to Europol, Eurojust and the Third Pillar Customs
Information System whereas authorities or other offices
dealing specifically with matters of national security are
explicitly excluded from its scope (Article 3 II),
continuation
Fusing of Schengen JSA, Europol JSB, CIS JSA into a single data
protection supervisory authority, merging with it the advisory
working party provided for in the earlier draft.
пЃ® exchange of data with third states.
FD is without prejudice to any obligations and commitments
incumbent upon Member States or upon the European Union
by virtue of bilateral and/or multilateral agreements with third
States.
personal data received from or made available by the competent
authority of another Member State may be transferred to third
States or international bodies only if the competent authority
of the Member States which transmitted the data has given its
consent to transfer in compliance with its national law.
пЃ®
Where are we now?
пЃ®
пЃ®
Discussion on FD on DP in 3rd pillar shows little willingness of Member
States to achieve a harmonised level of DP going further than CoE
Convention.
In fact:
пЃ® Text under discussion is вЂњagreement of minimumsвЂќ (lower common
denominator), partly because of unanimity requirement
пЃ® Scope reduced to cross-border exchange of personal data (and does not
affect existing bilateral agreementsвЂ¦)
пЃ® Many exceptions included and some important issues missing
пЃ® Doubts as to whether the text is even compliant with Convention 108
and additional protocol (see also EDPS opinions + press release of
20/9/07)
пЃ® Eurojust/Europol/Schengen DP rules go much further than proposed
text (after several formal motivated requests, happily excluded from
scope of application)
Diana Alonso Blas (Brussels)
пЃ®
пЃ®
пЃ®
пЃ®
Convention 108 offers a basic common approach that
needs to be fully respected
Any new instrument should respect CoE convention
+ basic principles Directive
Not in favour of detailed overall instrument covering
all pillars, not even the whole third pillar.
Specificities of police and judicial work need to be
taken into account (need for very clear and specific
tailored made rules for the diverse third pillar areas).
An overall instrument would have to be relatively
general but, if it has to have any added-value, it
should go further than CoE convention.
Future: (Draft) Reform Treaty
пЃ®
пЃ®
пЃ®
End of pillar structure
But this does not imply automatic application
of Directive to everything
Sectoral declaration on DP in police and
judicial cooperation in criminal matters
foreseen
Data protection & External relations under First Pillar
пЃ®
пЃ®
пЃ®
Member States shall provide that the transfer to a
third country of personal data only if, the third
country in question ensures an adequate level of
protectionвЂќ (Art. 25.1 Directive 95/46/EC) .
Article 25 also contains the procedure to determine
whether there is an adequate regime.
Commission, not the Member States, has the last say
in the procedure
Data protection & External relations under Third Pillar
пЃ®
пЃ®
Discussion: need to copy adequacy idea in JHA?
2001 Additional Protocol to the 1981 Council of
Europe Convention introduces principle re transfer of
data across national borders: вЂњEach Party shall
provide for the transfer of personal data to a recipient
that is subject to the jurisdiction of a State or
organisation that is not Party to the Convention only
if that State or organisation ensures an adequate level
of protection for the intended data transferвЂќ
(Additional Protocol, Article 2.1).
How is it happening now?
This could be answered discussing the following
examples
пЃ® Eu 2000 Convention on Mutual Assistance in
Criminal Matters
пЃ® Europol
пЃ® Pnr
пЃ® Swift
Article 23 EU 2000 Convention on Mutual Assistance in
Criminal Matters
first supranational rules establishing data protection requirements
for the judiciary in their cross border activities вЂ“ even though
they are very flexible and have clearly not the purpose of limiting
the work of the judiciary.
пЃ® No requirement of adequacy
пЃ® According to Article 23, personal data communicated under the
Convention may be used by the Member State to which they
have been transferred:
(a) for the purpose of proceedings to which the Convention applies;
(b) for other judicial and administrative proceedings directly related
to them;
(c) for preventing an immediate and serious threat to public security;
(d) for any other purpose, only with the prior consent of the
communicating Member State, unless the Member State
concerned has obtained the consent of the data subject
пЃ®
Europol co-operation with third parties
Types of agreements:
пЃ® Operational agreement
Includes the exchange of personal data
(secure link in place)
пЃ®
Strategic / Technical agreement
Does not allow exchange of personal data
Europol Operational Agreements
Includes the exchange of personal data
пЃ® Norway
пЃ® Iceland
пЃ® Switzerland
пЃ® Bulgaria Romania
пЃ® Croatia
пЃ® Canada
пЃ® USA
Federal Bureau of Investigation (FBI) & United
States Secret Service (USSS
пЃ® Eurojust
пЃ® Interpol
Europol Strategic / Technical Agreements
Does not allow exchange of personal data
пЃ® European Commission (EC)
пЃ® European Central Bank (ECB)
пЃ® European Monitoring Centre for Drugs and Drug Addiction
пЃ® European Anti-Fraud Office (OLAF)
пЃ® United Nations Office on Drugs and Crime (UNODC)
пЃ® World Customs Organisation (WCO)
пЃ® Colombia
пЃ® Russia
пЃ® Turkey
External relation in the FD data protection?
пЃ®
пЃ®
пЃ®
Commission October 2005 proposal sets up
system similar to Directive 95/45
German Presidency Draft march 2007:
nothing!
Preamble вЂњpersonal data are transferred from
a Member State of the European Union to third
countries or international bodies, these data
should, in principle, benefit from an adequate
level of protectionвЂќ
Conclusion
пЃ®
пЃ®
пЃ®
Pros and Contras option 1 or 2 re data protection are hard to assess, But:
Whereas a European approach, based on the adequacy principle, is followed in the
First Pillar, this is not the case for the Third Pillar. Though there may be arguments
against such a European approach in the area of JHA my examples, including the
Europol, PNR and Swift cases, learn that the absence of such a European approach
can cause problems.
Without ignoring the benefits and arguments in favour of tailor-made regulations, I
conclude that the example of Europol dealing with third countries, and of PNR and
Swift, in part illustrated the lack of credibility of the current EU data protection
system. Having to deal with externalities such as powerful third countries (in
particular the U.S.) that do not always consult the EU officials when collecting
вЂ�EuropeanвЂ™ data or data in (some) EU Member States, it would be beneficial to
develop a general framework for data protection in the Third Pillar and for transfers
of data to Third Parties with clear rules and responsibilities and a well-defined role
for the EU institutions that live up to the European dimension behind cases such as
PNR and Swift. Contrary to Blas, I agree with Poullet that a uniform set of data
protection standards applicable to all pillars would be desirable
Thank you for your attention!